FFT news digest  Nov 11 2022

Twitter

Say what you like about Elon Musk but watching him trying to work out what to do with Twitter in real time is providing rich entertainment. His solution to the much mocked $8 a month verification scheme was to create a new 'grey' tick to denote "official" accounts and differentiate them from the blue ticks that anyone can buy. No sooner was it announced (and received with moderate enthusiasm) than Musk popped up to say, "I just killed it. Blue check will be the great leveller." A day later, the grey tick was back, at least in some places - and for some accounts the subscription blue version had disappeared.

That's hardly surprising given the chaos that preceded it. Amid complete confusion about who was who and what was what, multiple high profile impersonations flooded the platform. These included Eli Lilly apparently tweeting "insulin is now free," and Nintendo (which resulted in Mario spending a couple of hours on the site with his middle finger firmly raised). While amusing, the chaos raises serious security issues. We certainly wouldn't entrust any sensitive conversations to the platform. And please ignore any messages you see about paying for verification because almost all of them are malicious.

The diet of chaos proved too rich for some key executives who had survived Musk's arrival. The company's chief privacy officer, chief information security officer, and chief compliance officer all resigned, according to The Verge. The US Federal Trade Commission has already expressed "deep concern" about the goings on at Twitter. The Washington Post quoted a Twitter employee as saying the quick release of products and changes without effective security reviews was "extremely dangerous" for users. Meanwhile, in a town hall meeting with his remaining staff, Musk outlined his vision for Twitter, much of which seems to amount to a US equivalent of the Chinese platform, WeChat.

Threats

Phishing: As phishing attacks continue to increase, scumbags are focusing on mobile and personal communication channels to reach employees. SlashNext recorded a 50% increase in these attacks, with scams and credential theft the most popular payloads.

LinkedIn: Attackers are stealing LinkedIn credentials by persuading victims to reset their credentials on a fake webpage. Once they have them, they use them to impersonate the genuine account. Armorblox

MFA: A salutary warning that multi-factor authentication methods may be phishing resistant, but that doesn't mean the people using them are "un-phishable." KnowBe4

Baby monitors: There's an uncomfortably long list of instances in which baby monitors have been hacked. Many of these devices are horribly insecure. ESET has advice.

Law firms: Attackers are impersonating major law firms and consultancies (including Deloitte and Clifford Chance) to trick financial departments into paying overdue fake invoices. Abnormal

Browser extensions: Another reminder to be careful about installing extensions/add-ons to web browsers. Zimperium has spotted a campaign which offers a (barely credible) Adobe Flash extension designed to compromise the target computer in multiple ways. Zimperium

Q&A: Sucuri says attackers have managed to compromise almost 15,000 websites to redirect visitors to fake Q&A discussion forums. 

Passwords

Every scumbag wants your passwords, which explains the ridiculous increase in the number of password-based attacks. Microsoft says this reached an estimated 921 attacks every second, equivalent to a 74% rise in just one year. Despite these statistics, according to Microsoft, 90% of accounts that get hacked aren't protected by 'strong authentication,' i.e. multi-factor authentication. Meanwhile, PCMatic says over half of internet users don't have a password protecting their home WiFi connection. Many home routers come with a unique password. If they don't, it's essential to change it immediately. As Microsoft points out, "basic security hygiene protects against 98% of attacks."

Spyware

A draft report from the European Parliament's spyware inquiry has called for an immediate moratorium on the sale, acquisition, transfer, and use of tools such as Pegasus. "The abuse of spyware in EU [member states] is a grave threat to democracy on the entire continent & just at the time when we need democracy more than ever," the inquiry's rapporteur said. However, almost immediately, the inquiry's chair issued a statement playing down the significance of the draft report, telling everyone to wait for the final version. This is a deeply contentious issue for the EU, given the use of spyware by multiple EU governments to target journalists, activists and human rights defenders.

In brief

Nation states: China is hoarding undisclosed security vulnerabilities for use against its adversaries, according to Microsoft's 2022 Digital Defense Report. It also says nation-state attacks on critical infrastructure have soared, largely due to Russian cyber operations targeting Ukraine and its allies. It says organisations need to focus more on security to protect themselves.

UK: The National Cyber Security Centre has begun scanning every device hosted in the UK that's connected to the internet. It says the aim is to "better understand the vulnerability and security of the UK," and it will minimise the amount of personal data gathered. It sounds Orwellian, but it's less invasive than the data gathering done by social media companies and tech giants like Google.

iPhone tracking: Despite its oft-trumpeted dedication to security and privacy, researchers say many of Apple's own apps continue to collect personal data even when they're told not to. Gizmodo

Note to self: Rewind.ai is an app that records everything that's happened on your Mac so you never forget anything. It can literally replay what you saw, heard or browsed at a specific time and it uses "mind-boggling compression" so that it doesn't fill up your storage. An interesting idea and, potentially, a security horror show. 9to5Mac

Facial: A privacy advocacy group has filed a legal complaint against Pimeyes, a face recognition search engine. Big Brother Watch says Pimeyes is a threat to the privacy of millions of UK residents because it enables people to look for faces in images which have been posted publicly on the internet.

Headphones: Japanese telecom giant NTT says it's devised a way to prevent sound leaking from headphones, even the open-ear ones. The solution is a speaker enclosure that it claims retains the sound in a "very small space." The Register

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
